12 Encryption Manager (EM)

The Encryption Manager (EM) provides the ability to change the encryption key within Fleet Management. The guidelines are given below.

The Encryption Manager screen has the following tabs:

Table 12-1 FMS Encryption Manager Screen

Tabs Description

Encryption

This function allows you to select the column(s) to encrypt.

You can view the currently decrypted columns and add columns to the encryption.

Decryption

This tab shows the columns that are encrypted and need to be removed from encryption, so that their information is shown as plain text in future. From the currently available columns, you can select which ones to decrypt.

Encryption Key

This tab is used to rotate the key. It automatically decrypts the encrypted data with the original key in AES-CBC mode, updates the key, and encrypts the data with the new key in AES-GCM mode. For data migration during an upgrade, it continues to use AES-CBC mode. AES-GCM mode is enforced only once you choose to rotate the key.

Encrypted Data PCI Adjustment

This function retrieves the data that is older than a year and in encrypted form, decrypts it, masks the number except the last 4 digits, and then re-encrypts it before storing the data.

Example:
  • PLAIN: 1233456789081114

  • ENCRYPTION: AXS12556HSndhdhsdjhwd781738

  • DECRYPT: 1233456789081114. If the credit card is older than 1 year, then MASK.

    MASK: XXXXXXXXXXXX1114
  • Re-Encrypt: AXS12556HSndhdhsdwewvh232vvevevr38

  • Decrypt: Only the last 4 digits are available on the screen

Conversion from Old to New

This function retrieves the encrypted data, decrypts it using the old method, and encrypts it with the new method.

FMS Encryption Manager fetches the information from the Encryption table and determines whether the data is in the FMS or SPMS method.

If the FMS Sender (FM sender 8.4 and above) uses the old method, you need to first install the Encryption Manager and convert the data to the new method using this tab.

The latest version of Sender uses only the SPMS new algorithm and does not support the old method.

Running the script FMS_FCONSOL_ALTERS.SQL is a prerequisite.

When converting from the old to the new method, the function checks for all data that has NULL in the Encryption Type column, converts it, and marks it as new.

Prerequisite: Select FidelioBK in Sender and Receiver on both sides.

The scenarios can be:
  • Data is stored in the FMS encryption method
  • Data is stored in the SPMS encryption method but using the Old key
  • Data is stored in the SPMS encryption method but using the New key

Old method = FMS or SPMS (old algorithm).

New method = SPMS (new algorithm).

SPMS 8.0 and above uses the new algorithm explicitly.

FMS Data Viewer must also be v8.4 and above.

RSA Encryption Key

The third-party vendor/reservation system encrypts the reservation files with the Public Key generated by Encryption Manager before sending the files to MSMQ. The Private Key stored in the CDTI XML Template is used to decrypt the incoming files in MSMQ before inserting them into the CDTI.

PGP Keys

The function in this tab uploads the PGP public key of the ship to the database with AES encryption. FMS ResOnline uses the public key to encrypt the reservation's credit card PAN in FCRESVINT, allowing DGS ResOnline to decrypt it with the ship's private key.

Settings

Use this tab to view and configure settings.
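The key rotation described for the Encryption Key tab (decrypt with the original key in AES-CBC mode, re-encrypt with the new key in AES-GCM mode) is illustrated below. This is an added example, not code from the product: the record layout (mode, iv, ct, tag), the 256-bit keys and all function names are assumptions.

```javascript
// Added example: record layout {mode, iv, ct, tag}, 256-bit keys and all names are assumptions.
const nodeCrypto = require('node:crypto');

// Legacy records: AES-256-CBC with a random 16-byte IV (no integrity protection).
function encryptCbc(key, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { mode: 'CBC', iv: iv.toString('hex'), ct: ct.toString('hex') };
}

// Rotated records: AES-256-GCM with a fresh 12-byte nonce; the auth tag is stored per record.
function encryptGcm(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const tag = c.getAuthTag().toString('hex');
  return { mode: 'GCM', iv: iv.toString('hex'), ct: ct.toString('hex'), tag };
}

// Decrypt according to the mode recorded with the value.
function decrypt(key, rec) {
  const algo = rec.mode === 'GCM' ? 'aes-256-gcm' : 'aes-256-cbc';
  const d = nodeCrypto.createDecipheriv(algo, key, Buffer.from(rec.iv, 'hex'));
  if (rec.mode === 'GCM') d.setAuthTag(Buffer.from(rec.tag, 'hex'));
  // final() throws if the GCM tag does not verify (wrong key or modified ciphertext).
  return Buffer.concat([d.update(Buffer.from(rec.ct, 'hex')), d.final()]).toString('utf8');
}

// Rotation: decrypt each record with the old key, re-encrypt with the new key in GCM.
// Everything is built in memory first, so one failing record leaves the stored set unchanged.
function rotate(records, oldKey, newKey) {
  return records.map((rec) => encryptGcm(newKey, decrypt(oldKey, rec)));
}

// Returns true when decryption is rejected, e.g. after the ciphertext was altered.
function isRejected(key, rec) {
  try { decrypt(key, rec); return false; } catch (e) { return true; }
}

// Constructed sample data (the PAN is the sample value from the page).
const oldKey = nodeCrypto.randomBytes(32);
const newKey = nodeCrypto.randomBytes(32);
const stored = ['1233456789081114', 'constructed-sample-2'].map((v) => encryptCbc(oldKey, v));
const rotated = rotate(stored, oldKey, newKey);
const tampered = { ...rotated[0], ct: (rotated[0].ct[0] === '0' ? '1' : '0') + rotated[0].ct.slice(1) };
console.log(rotated.map((r) => r.mode), decrypt(newKey, rotated[0]), isRejected(newKey, tampered));
```

Because CBC records carry no authentication tag, a modified legacy value can decrypt to altered plaintext instead of failing; after rotation to GCM the same modification is rejected.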

To process credit card data, you must first upload the Public Key using the FMS Encryption Manager for Reservation Online to encrypt the credit card number when processing the data. You need to upload the PGP Key pair to both FMS and SPMS so that SPMS can decrypt the credit card number received from FMS.

Before you upload or change the PGP Key on both FMS and SPMS, you must:
  1. Ensure that there are no pending transactions in Reservation Online (FMS) and DGS ResOnline (SPMS).

  2. Generate a new PGP Key pair using a third-party application.

  3. In SPMS, upload the new PGP Public and Secret (Private) keys using OHC Tools, on the DGS Credit Card Set 1 or DGS Credit Card Set 2 tab.

  4. Provide the new Public Key to FMS (Shore side) and the third-party reservation system.

  5. Update the new Public Key in FMS using the Encryption Manager PGP Key function.

  6. Restart FMS Reservation Online to apply the new key.